Key information

1. Vulnerability name:
   - HM COURTS & TRIBUNALS SERVICE PROBATE BACK OFFICE UP TO C1AFE0CDB2B2766D9E24872C4E827F8B82A6CD31 MARKDOWN NOTIFICATIONSERVICE.JAVA INJECTION
2. Vulnerability identifiers:
   - VDB-276270
   - CVE-2024-8367
   - DTSPB-4180/2614
3. Affected components:
   - Markdown Handler
   - NotificationService.java
4. Affected version:
   - c1afe0cdb2b2766d9e24872c4e827f8b82a6cd31
5. Vulnerability description:
   - CWE-74: Injection vulnerability due to manipulation with an unknown input.
   - CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
6. CVSS Meta Temp Score:
   - 3.4
7. Current exploit price:
   - $0-$5k
8. CTI Interest Score:
   - 3.25
9. Impact:
   - Integrity
10. Vulnerability details:
    - A vulnerability was found in HM Courts & Tribunals Service Probate Back Office up to c1afe0cdb2b2766d9e24872c4e827f8b82a6cd31. It has been classified as problematic. Affected is an unknown functionality of the file src/main/java/uk/gov/hmcts/probate/service/NotificationService.java of the component Markdown Handler. The manipulation with an unknown input leads to an injection vulnerability.
11. CVE summary:
    - A vulnerability was found in HM Courts & Tribunals Service Probate Back Office up to c1afe0cdb2b2766d9e24872c4e827f8b82a6cd31. It has been classified as problematic. Affected is an unknown function of the file src/main/java/uk/gov/hmcts/probate/service/NotificationService.java of the component Markdown Handler. The manipulation leads to injection. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is identified as d90230d7cf575e5b0852d56660104c8bd2503c34. It is recommended to apply a patch to fix this issue.
12. Exploitation difficulty:
    - Easy
13. Technical details:
    - Known
14. Vulnerability identifier:
    - CVE-2024-8367
15. Patch:
    - d90230d7cf575e5b0852d56660104c8bd2503c34
16. Source:
    - tools.hmcts.net
17. Vulnerability trading platform:
    - github.com
18. Vulnerability description:
    - The advisory is available at tools.hmcts.net. This vulnerability is traded as CVE-2024-8367. The exploitability is said to be easy. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1055 by the MITRE ATT&CK project.
19. Remediation advice:
    - Applying the patch d90230d7cf575e5b0852d56660104c8bd2503c34 is able to eliminate this problem. The bugfix is ready for download at github.com.
20. Remarks:
    - The advisory contains the following remark:

---

Summary

This is an injection vulnerability affecting HM Courts & Tribunals Service Probate Back Office, in the NotificationService.java file of the Markdown Handler component. The CVSS Meta Temp Score is 3.4, the current exploit price is $0-$5k, and the CTI Interest Score is 3.25. Exploitation difficulty is easy and technical details are known, but no exploit is available. Applying the patch d90230d7cf575e5b0852d56660104c8bd2503c34 is recommended to fix this issue.